#VU126312 Code Injection in protobuf.js

 

Published: April 16, 2026


Vulnerability identifier: #VU126312
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: protobuf.js
Software vendor: protobuf.js

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to code injection in protobuf definition compilation when processing attacker-controlled protobuf definitions during object decoding. A remote user can inject arbitrary code into the "type" fields of protobuf definitions to execute arbitrary code.

Exploitation requires control over the protobuf definition files used by the application.


Remediation

Install the security update from the vendor's website.
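
Because the injection point is the "type" field of a definition, an application that accepts definitions from outside its own code base can also reject any definition whose type strings are not plain identifiers before loading it. The following is an added example, not code from protobuf.js or its vendor; it assumes definitions arrive as a JSON descriptor with `nested` and `fields` objects, and the function names and sample descriptors are constructed for illustration.

```javascript
// Added example: allowlist check for field "type" strings in a JSON protobuf
// definition. The nested -> fields -> type layout is the assumed input shape.
const TYPE_NAME = /^\.?[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*$/;

// Walk the descriptor and return one finding per field whose "type" is not a
// plain, optionally dotted, identifier (or is not a string at all).
function findSuspiciousTypes(node, path = "") {
  const findings = [];
  if (node === null || typeof node !== "object") return findings;

  for (const [fieldName, field] of Object.entries(node.fields || {})) {
    const type = field && field.type;
    if (typeof type !== "string" || !TYPE_NAME.test(type)) {
      findings.push({ field: path ? `${path}.${fieldName}` : fieldName, type });
    }
  }
  for (const [name, child] of Object.entries(node.nested || {})) {
    findings.push(...findSuspiciousTypes(child, path ? `${path}.${name}` : name));
  }
  return findings;
}

// Refuse to pass a definition on to the protobuf library unless it is clean.
function assertSafeDescriptor(descriptor) {
  const findings = findSuspiciousTypes(descriptor);
  if (findings.length > 0) {
    const list = findings.map(f => `${f.field}=${JSON.stringify(f.type)}`).join(", ");
    throw new Error(`rejected protobuf definition, non-identifier type: ${list}`);
  }
  return descriptor;
}

// Constructed sample descriptors (not taken from any real application).
const cleanDescriptor = { nested: { app: { nested: {
  User: { fields: {
    id: { type: "uint32", id: 1 },
    profile: { type: ".app.Profile", id: 2 },
  } },
  Profile: { fields: { name: { type: "string", id: 1 } } },
} } } };

const taintedDescriptor = { nested: { app: { nested: {
  User: { fields: {
    id: { type: "uint32", id: 1 },
    note: { type: "string (constructed, not a type name)", id: 2 },
  } },
} } } };
```

Run the check at the point where a definition crosses into the application (upload, fetch, or file read), and log the rejected field path so the source of the definition can be traced.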
